
How to prevent duplicate logs with replicating SEPM servers?

jamesdsteel
Explorer

Has anyone had any experience with setting up log collection from replicating SEPM servers and preventing duplicate indexing?

We have two SEPM sites that replicate once per day. Currently we're forwarding all of the logs from one of the sites which picks up all of the logs, but leads to a delay of up to 24 hours in collecting logs from the second site.

To prevent the delay, we'd have to also start forwarding from the second site, but I anticipate this would lead to duplicated logs, as the replicated logs would be forwarded from both servers.

I was hoping I might be able to blacklist based on a "server" or "site" string in the logs, but I can't find a string common to all logs for each site.

Any suggestions or help would be appreciated, and I would love to know if anyone has managed this scenario before.

0 Karma

lakshman239
Influencer

Yes, you would receive duplicate logs if you are forwarding from both sites, as that will include replicated logs from each site/database.

I haven't seen a unique tag/field to indicate whether it's an original or replicated event. However, each event will have host=server1 (in site1) or server2 (from site2). But this may not be helpful, unless there is a way in the Symantec console to write only logs to files that originated in that site.

Another option (assuming that in the DB we can differentiate replicated logs) would be to use DB Connect at each site, but only pull events that are generated in that site, excluding replicated logs. You may then need to extract fields for your dashboards/reports, etc.

0 Karma
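Neither post has a field that marks an event as original or replicated, and the answer notes that the only difference between the two copies is the forwarding host. An added example (not code from either poster, and not Splunk or Symantec code) shows the fallback that this implies: fingerprint each event on its content with the transport-only host field removed, so an event and its replicated copy hash identically and the second copy can be dropped before indexing. The key=value log layout, the host names sepm01/sepm02, and the field names time, computer, event and user are constructed for the illustration and are not real SEPM output.

```python
import hashlib
import re

# Constructed sample events in a simplified key=value layout; NOT real SEPM output.
# Two SEPM servers (sepm01 at site 1, sepm02 at site 2) replicate daily, so each forwards
# its own events plus copies of the other site's. Only the "host" field differs between copies.
SAMPLE_EVENTS = [
    'host=sepm01 time=2024-05-01T10:00:00Z computer=WS-0101 event="Scan complete" user=alice',
    'host=sepm01 time=2024-05-01T10:05:00Z computer=WS-0207 event="Risk found" user=bob',      # replica of a site-2 event
    'host=sepm02 time=2024-05-01T10:05:00Z computer=WS-0207 event="Risk found" user=bob',
    'host=sepm02 time=2024-05-01T10:00:00Z computer=WS-0101 event="Scan complete" user=alice',  # replica of a site-1 event
    'host=sepm02 time=2024-05-01T10:07:00Z computer=WS-0207 event="Risk found" user=bob',      # distinct event (different time)
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields stamped by the forwarding server rather than by the original event.
# These must be excluded from the fingerprint or the two copies never collide.
TRANSPORT_FIELDS = {"host"}


def parse_event(line):
    """Parse one key=value line into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def fingerprint(fields):
    """Hash the event content with transport-only fields removed, so an event and its
    replicated copy yield the same fingerprint no matter which SEPM forwarded it."""
    content = "\n".join(f"{k}={fields[k]}" for k in sorted(fields) if k not in TRANSPORT_FIELDS)
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def dedupe(lines):
    """Return the lines in arrival order with replicated copies dropped (first copy wins)."""
    seen = set()
    kept = []
    for line in lines:
        fp = fingerprint(parse_event(line))
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(line)
    return kept


if __name__ == "__main__":
    for line in dedupe(SAMPLE_EVENTS):
        print(line)
```

Two caveats for real use: the `seen` set must be bounded to the replication window (here, a little over 24 hours) rather than growing forever, and the fingerprint must cover every field that distinguishes genuinely separate events (the timestamp at minimum), otherwise two legitimate identical-looking events from the same endpoint would be collapsed into one.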